A Vision for Distributed Red Team Operations

February 12, 2013

Last year I gave a talk on Force Multipliers for Red Team Operations. In that talk, I elaborated on my search for capabilities that make us more effective with our hacking tools. I spelled out three areas of work: collaboration, automation, and distribution. I’ve put a lot of work into collaboration capabilities already, and the DARPA-funded Cortana started my exploration of automation.

My Force Multipliers talk left the distribution question open. How do we use our team hacking tools through multiple points of presence on the internet? Today’s Cobalt Strike update is my answer to this question.

You may now use one Cobalt Strike client to manage multiple team servers spread out around the internet.

Here’s how it works:

When you connect to two or more servers, Cobalt Strike will show a switchbar with buttons for each server at the bottom of your window. Click a button to make that server active. It’s a lot like using tabs to switch between pages in a web browser.

To make use of multiple servers, designate a role for each one. Give each server’s button a name so its role is easy to remember.

Dumbly connecting to multiple servers isn’t very exciting. The fun comes when you seamlessly use Cobalt Strike features across servers. For example:

Designate one server for phishing and another for reconnaissance. Go to the reconnaissance server and set up the system profiler application. Then use the phishing tool to deliver the reconnaissance website through the phishing server. This is easy to do because Cobalt Strike’s phishing dialog lets you embed a site from any server you’re connected to.

Web drive-by exploits are especially interesting. Clone a website and embed an exploit on one server. Set the embedded exploit to reference a Beacon listener on another server. When a vulnerable user visits this site, their system will start beaconing to the beacon server.

This is trivial to do because Cobalt Strike lets you set up an attack that references a listener on any server you’re connected to.

Distributed operations have their drawbacks. Each penetration testing server is a silo with a limited picture of the engagement. Cobalt Strike makes great strides to solve this problem. When you ask for a report, Cobalt Strike queries each server you’re connected to, combines the data, and generates one report. For example, if you send a phishing attack from one server and it references a site on another server, Cobalt Strike will cross-reference the information from both servers and present a coherent picture of the social engineering engagement.

Are you curious what all of this looks like? Watch the video:

This distributed operations capability is in today’s Cobalt Strike update. Grab a 21-day trial to try it out. Licensed users may update Cobalt Strike with the included update program. See the releasenotes.txt file for a full list of changes in today’s update.